Why are insider threats so difficult to detect?

Data leaks and other news events over the past few years have brought insider threats to the forefront of public attention, but most companies still lack the means or motivation to protect themselves from malicious insiders.

The effects of insider threats are simply too big to ignore. In the most recent year on record, U.S. organisations suffered $40 billion in losses due to employee theft and fraud. According to a report by the market research company Forrester, 46 per cent of nearly 200 technology decision-makers reported internal incidents as the most common cause of the breaches they experienced in the past year. Out of those respondents, almost half said the breach stemmed from a malicious insider.

Why are the attackers winning?

The answer is simple: most organisations have no procedure in place to deal with the insider threat. One survey of 355 IT professionals found that 61 per cent said they couldn’t deter insider attacks, and 59 per cent admitted they were unable to even detect one.

Underneath the statistics, there is an uncomfortable truth. Old security models have no room for insider threats. As companies pour millions into preventing outside attackers from gaining entrance to their network, they operate under the assumption that those who are granted internal access in the first place are trustworthy.

Even if your network users have no ill intent, negligence and compromised credentials are just as dangerous as a thief. All an outside attacker has to do is ask for credentials through a phishing campaign or some other form of social engineering. If they fail, they’ve only wasted the amount of time it takes to write an email or make a phone call, but if they succeed, they suddenly have all of the privileges of a legitimate user.

Once an insider threat has the necessary access privileges, the potential for damage skyrockets. Because most organisations don’t monitor their internal network traffic, an attacker can take their time conducting reconnaissance and collecting data. Once all of the target information is packaged in a central location on the network, the attacker can then move it out of the network all at once.

By the time the alarm bells start going off, it is too late and the data is gone.

How do you catch an insider threat?

Since it is nearly impossible to stop an insider threat at the gate, early detection is key. Fortunately for us, an attack isn’t over with the initial breach. The perpetrator still has to execute a number of steps before their goal is complete, and we can stop them at any point in this process.

The first thing an organisation needs to catch an insider threat is network visibility. If firewalls are armed guards at the gate, visibility is the security camera monitoring inside the building. Internal network traffic, access logs, policy violations and more need to be watched continuously for suspicious activity. Know what a regular day looks like on your network. Know how much traffic to expect, who is expected to access sensitive information and what applications are used in the day-to-day business operation. Anything that falls outside of those bounds should be investigated.

You want to be able to identify the following activities:

Unauthorised access

Violation of organisation policies

Internal reconnaissance

Data hoarding

Data loss

Data analytics can make a huge difference here. If an organisation is large, it can be impossible to monitor network activity manually. Anything important is quickly drowned out by the plethora of other information. Using NetFlow and other network metadata, a good security analytics tool can help the relevant information rise to the top.

Secondly, keep an audit trail of network transactions for as long as is feasible. If you are struck by an insider attack, the audit trail can be used to identify how the threat operated and what assets were compromised. It may also help the authorities pursue criminal charges against the attacker.

Lastly, don’t forget that insider threats exist outside of the digital realm. Oftentimes, a malicious insider is a disgruntled employee seeking to damage the organisation or someone who just can’t resist the temptation to commit fraud or steal company secrets. These are people who interact in person with other employees, and the other employees may take notice if they are acting suspicious.

Research by the CERT Insider Threat Center indicates that insider threats typically conduct their attacks within 30 days of giving their resignation and often display certain behaviour prior to their illicit activities, such as threatening the organisation or bragging publicly about how much damage they could do.

Managers and HR representatives should be trained to recognise these behaviours and bring them to the attention of IT. In addition, when an employee turns in their resignation, security personnel should keep a close eye on their activity and ensure all access credentials are revoked.

As corporate networks expand in scope and geographic area, it has become easier for insider threats to access sensitive data and inflict catastrophic damage. While the malicious insider comes with a different set of challenges than other security concerns, organisations can protect themselves with the right tools and mindset. Early detection of these attackers can keep a security event from becoming a high-profile data breach.